To: 


Of: 


ICO. 


Information Commissioner’s Office 


DATA PROTECTION ACT 1998 


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 


ENFORCEMENT NOTICE 


Digital Growth Experts Limited 


International House, 12 Constance Street, London E16 2DQ 


The Information Commissioner (“Commissioner”) has decided to issue 
Digital Growth Experts Limited (“DGE”) with an enforcement notice 
under section 40 of the Data Protection Act 1998 (“DPA”). The notice is 
in relation to a serious contravention of Regulations 22 and 23 of the 
Privacy and Electronic Communications (EC Directive) Regulations 2003 
(“PECR”). 


This notice explains the Commissioner's decision. 


Legal framework 


DGE, whose registered office is given above (Companies House 
Registration Number: 12373841) is the organisation stated in this 
notice to have transmitted unsolicited communications by means of 
electronic mail to individual subscribers for the purposes of direct 


marketing contrary to regulation 22 of PECR. 


Regulation 22 of PECR states: 
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“(1) This regulation applies to the transmission of unsolicited 


communications by means of electronic mail to individual 


subscribers. 


(2) Except in the circumstances referred to in paragraph (3), a person 
shall neither transmit, nor instigate the transmission of, unsolicited 
communications for the purposes of direct marketing by means of 
electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being 
to such communications being sent by, or at the instigation of, the 


sender. 


(3) A person may send or instigate the sending of electronic mail for 


the purposes of direct marketing where— 


(a) that person has obtained the contact details of the recipient 
of that electronic mail in the course of the sale or 
negotiations for the sale of a product or service to that 


recipient; 


(b) the direct marketing is in respect of that person’s similar 


products and services only; and 


(c) the recipient has been given a simple means of refusing 
(free of charge except for the costs of the transmission of 
the refusal) the use of his contact details for the purposes 
of such direct marketing, at the time that the details were 
initially collected, and, where he did not initially refuse the 
use of the details, at the time of each subsequent 


communication. 


(4) A subscriber shall not permit his line to be used in contravention of 


paragraph (2).” 


5. 
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Regulation 23 of PECR states that “A person shall neither transmit, nor 


instigate the transmission of, a communication for the purposes of 


direct marketing by means of electronic mail — 


(a) where the identity of the person on whose behalf the 
communication has been sent has been disguised or 


concealed; 


(b) where a valid address to which the recipient of the 
communication may send a request that such 


communications cease has not been provided 


(c) where that electronic mail would contravene regulation 7 of 
the Electronic Commerce (EC Directive) Regulations 2002; 


or 


(d) where that electronic mail encourages recipients to visit 


websites which contravene that regulation.” 


Section 11(3) of the DPA defines “direct marketing” as “the 
communication (by whatever means) of any advertising or marketing 
material which is directed to particular individuals”. This definition also 


applies for the purposes of PECR (see regulation 2(2)). 


Consent is defined in the European Directive 95/46/EC as “any freely 
given specific and informed indication of his wishes by which the data 
subject signifies his agreement to personal data relating to him being 


processed”. 


“Individual” is defined in regulation 2(1) of PECR as “a living individual 


and includes an unincorporated body of such individuals”. 
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A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 


a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 


“Electronic mail” is defined in regulation 2(1) of PECR as “any text, 
voice, sound or image message sent over a public electronic 
communications network which can be stored in the network or in the 
recipient’s terminal equipment until it is collected by the recipient and 


includes messages sent using a short message service”. 


PECR implements European legislation (Directive 2002/58/EC) aimed at 
the protection of the individual’s fundamental right to privacy in the 
electronic communications sector. PECR was amended for the purpose 
of giving effect to Directive 2009/136/EC which amended and 
strengthened the 2002 provisions. The Commissioner approaches PECR 


so as to give effect to the Directives. 


The DPA contains enforcement provisions at Part V which are 
exercisable by the Commissioner. Those provisions are modified and 
extended for the purposes of PECR by Schedule 1 PECR. 


Section 40(1)(a) of the DPA (as extended and modified by PECR) 
provides that if the Commissioner is satisfied that a person has 
contravened or is contravening any of the requirements of the 
Regulations, he may serve him with an Enforcement Notice requiring 
him to take within such time as may be specified in the Notice, or to 
refrain from taking after such time as may be so specified, such steps 


as are so specified. 


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the Data Protection Act 2018 (see 
paragraph 58(1) of Part 9, Schedule 20 of that Act). 
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The contravention 


The Commissioner finds that DGE contravened regulations 22 and 23 of 
PECR. 


The Commissioner finds that the contravention was as follows: 


The Commissioner finds that between 29 February 2020 and 30 April 
2020 there were 16,190 direct marketing text messages received by 
subscribers. The Commissioner finds that DGE transmitted the direct 


marketing messages sent, contrary to regulation 22 of PECR. 


The Commissioner is satisfied that the contravention could have been 
higher, with a total of 17,241 text messages being sent over the 


relevant time. 


DGE, as the sender of the direct marketing, is required to ensure that it 
is acting in compliance with the requirements of regulation 22 of PECR, 
and to ensure that valid consent to send those messages had been 


acquired. 


In this instance DGE have been unable to evidence any such consent, 
instead providing unclear and inconsistent explanations for its practices 
and the means by which it obtains the data used for its direct 
marketing. Indeed, from the information provided, and as far as the 
Commissioner can determine, it appears that DGE has relied on data 
scraped from an online marketplace account belonging to its Director, 
which he had operated since 2003, albeit claiming that the data used 
was obtained only over the previous 24 months. There is no evidence 


that valid consent had been obtained from any of the individuals whose 
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data had been used in this way, or that any of the individuals had any 


previous relationship with DGE whatsoever. 


DGE also used data obtained via social media advertisements which 
purported to offer free samples of a product to individuals, and then 
automatically opted them in to receiving direct marketing. From the 
evidence provided, it does not appear that individuals were advised 
that their data would be used for this purpose, nor were individuals 
given a simple means of refusing the use of their contact details for 


this purpose. 


Neither of the above methods of data collection constitutes adequate 
means of obtaining valid consent, and nor would DGE be able to avail 
itself to regulation 22(3) PECR (the “soft opt-in”). 


DGE stated that some of its marketing texts were sent to individuals 
who had previously expressed an interest in ‘eBay’ offers on the 
Director’s account page. It is however, in the Commissioner's view, 
simply not possible that individuals whose data has been held on the 
Director’s own ‘eBay’ account since 2003, or even those who may have 
expressed an interest in unrelated products on this account within the 
previous 24 months, could have provided valid consent to receive 
direct marketing text messages from DGE in relation to hand sanitiser 
many years later. Indeed, it is unlikely that such individuals would 
have any knowledge of DGE, which is likely not to have even been 
incorporated at the time they expressed an interest in offers on the 
Director’s own page. Rather, it appears to the Commissioner that this 
data has been harvested from records of past auctions involving the 
Director regarding unrelated products, and used by DGE for the 
purposes of reaching as many people as possible in relation to its own 


hand sanitiser marketing campaign. 


24. 


25. 


26. 
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The Commissioner is further satisfied that, in any event, DGE cannot 

rely on the ‘soft opt-in’ exemption provided by Regulation 22(3) PECR 

for the purposes of the messages sent to individuals with whom the 

Director of DGE has a prior transaction history. The soft opt-in 

exemption firstly requires that the person sending or instigating the 

electronic mail, i.e. DGE, had obtained the contact details of the 

recipient of that electronic mail in the course of the sale or negotiations 

for the sale of a product or service to that recipient. There has been no 

evidence provided that any of the recipients, some of whom the 

Director has confirmed would have provided details to him years 

earlier, had entered into a sale, or negotiations for a sale, with DGE; 


regulation 22(3) PECR therefore cannot apply. 


In short, DGE has provided no evidence in respect of this data set to 
support a reliance on Regulation 22(3) PECR, or any evidence to 


demonstrate valid consent whatsoever. 


In terms of those individuals who had signed up to receive a sample of 
hand sanitiser through social media platforms, DGE initially provided 
some unspecific information as to how data would be collected. It has 
since been confirmed that individuals would enter their name and 
telephone number through one of these lead generation type adverts 
and would be required to agree to two privacy policies (Facebook’s and 
that of ‘Zoono.io’). The individual would then receive a text to their 
phone with a voucher code which they would need to separately input 
on ‘Zoono.io’; they would pay postage and receive their free sample. 
However, upon entry of their details at the data collection stage, and 
whether or not individuals chose to redeem the voucher code, 
individuals were automatically, and without notice, opted in to receive 
direct marketing messages from DGE, with multiple messages 


potentially being sent to them. 


27. 


28. 


29. 


30. 


31. 


© 

Information Commissioner’s Office 
Such means of obtaining consent cannot be valid, since the ‘consent’ 
being relied on cannot, at the very least, be said to have been freely 
given; nor can individuals be said to have been given a genuine choice 


as to whether or not they would wish to receive direct marketing when 


signing up to a free sample of the hand sanitiser. 


Furthermore, the ‘soft opt-in’ exemption cannot be relied on for these 
individuals since the act of applying for a free sample cannot be said to 
be a ‘sale’ or ‘negotiation of a sale’. In any event, it appears that DGE 
would send marketing to all individuals who provided their details in 
this way, and not just those who may have chosen to redeem the 
voucher for the free sample. Such subsequent direct marketing would 
fail to meet the criteria of Regulation 22(3)(a) PECR. 


In addition, from the evidence provided it is clear that the individuals 
had not, at the point their data was collected, been given a simple 
means of refusing the use of their contact details for direct marketing; 
accordingly, DGE’s direct marketing would also fail to meet the criteria 
of Regulation 22(3)(c) PECR 


Again, DGE has been unable to demonstrate any evidence of consent 
to send direct marketing messages to those individuals whose data was 
obtained via social media offers, nor can it rely on Regulation 22(3) 
PECR. 


The Commissioner further notes that the messages do not make clear 
that they are being sent by and on behalf of DGE, rather they either do 
not reference a sender at all or alternatively refer to ‘Zoono’ which is a 
product name and is not a registered trading name of DGE. DGE 
obtained permission to market Zoono products from Zoono Holdings 


Limited, a separate and distinct entity. 


32. 


33. 


34. 


35. 


36. 


37. 


© 

1C O. 

Information Commissioner's Office 
It is also apparent that a large proportion of the messages received by 


subscribers did not contain an option for recipients to opt-out of future 


marketing messages. 


The Commissioner is satisfied from the evidence she has seen that DGE 
has contravened Regulation 22 PECR for the 16,190 direct marketing 


messages received by subscribers 


Furthermore, the Commissioner is satisfied that the actions of DGE 


have contravened regulation 23 PECR. 


The Commissioner has considered, as she is required to do under 
section 40(2) of the DPA (as extended and modified by the 
Regulations) when deciding whether to serve an Enforcement Notice, 
whether any contravention has caused or is likely to cause any person 
damage. The Commissioner has decided that it is unlikely that actual 


damage has been caused in this instance. 


In view of the matters referred to above the Commissioner 
hereby gives notice that, in exercise of her powers under 
section 40 of the DPA, she requires DGE to take the steps 


specified in Annex 1 of this Notice. 


Right of Appeal 


There is a right of appeal against this Notice to the First-tier Tribunal 
(Information Rights), part of the General Regulatory Chamber. 


Information about appeals is set out in the attached Annex 2. 


Dated the 22™ day of September 2020 


Andy Curry 

Head of Investigations 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 
TERMS OF THE ENFORCEMENT NOTICE 
DGE shall within 30 days of the date of this notice: 


e Except in the circumstances referred to in paragraph (3) of 
regulation 22 of PECR, neither transmit, nor instigate the 
transmission of, unsolicited communications for the purposes of 
direct marketing by means of electronic mail unless the recipient of 
the electronic mail has previously notified DGE that he clearly and 
specially consents for the time being to such communications being 


sent by, or at the instigation of, DGE. 


e Furthermore, DGE shall neither transmit, nor instigate the 
transmission of, a communication for the purposes of direct 


marketing by means of electronic mail: 


(a) where the identity of the person on whose behalf the 
communication has been sent has been disguised or 


concealed; 


(b) where a valid address to which the recipient of the 
communication may send a request that such 


communications cease has not been provided 


(c) where that electronic mail would contravene regulation 7 of 
the Electronic Commerce (EC Directive) Regulations 2002; 


or 


(d) where that electronic mail encourages recipients to visit 


websites which contravene that regulation.” 
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ANNEX 2 


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 48 of the Data Protection Act 1998 gives any person upon 
whom an enforcement notice has been served a right of appeal to the 
First-tier Tribunal (Information Rights) (the “Tribunal”) against the 


notice. 
2. If you decide to appeal and if the Tribunal considers: - 


a) that the notice against which the appeal is brought is not in 


accordance with the law; or 


b) to the extent that the notice involved an exercise of discretion by 
the Commissioner, that she ought to have exercised her 


discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 


Tribunal will dismiss the appeal. 


3. You may bring an appeal by serving a notice of appeal on the Tribunal 


at the following address: 


General Regulatory Chamber 
HM Courts & Tribunals Service 
PO Box 9300 

Leicester 

LE1 8DJ 
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Telephone: 0300 123 4504 


Email: grc@justice.gov.uk 


e The notice of appeal should be served on the Tribunal within 28 


days of the date on which the enforcement notice was sent 


The statutory provisions concerning appeals to the First-tier Tribunal 
(General Regulatory Chamber) are contained in sections 48 and 49 of, 
and Schedule 6 to, the Data Protection Act 1998, and Tribunal 
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 
2009 (Statutory Instrument 2009 No. 1976 (L.20)). 
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